Cryptography-Digest Digest #313, Volume #12      Sat, 29 Jul 00 18:13:01 EDT

Contents:
  Re: counter as IV? (Simon Johnson)
  Re: Just Curious. Are girls/women interested (Paul Rubin)
  Re: Elliptic Curves encryption (Jerry Coffin)
  Re: How secure is Pegwit? (Boris Kazak)
  Re: generating S-boxes ([EMAIL PROTECTED])
  Randomize, RandSeed and PRNG (Daniel)
  Re: Randomize, RandSeed and PRNG (James Pate Williams, Jr.)
  Re: Randomize, RandSeed and PRNG (James Pate Williams, Jr.)
  Reference to a public key technique in NYTimes (John Bailey)
  Re: Randomize, RandSeed and PRNG (James Pate Williams, Jr.)
  Re: Randomize, RandSeed and PRNG (Bill Unruh)
  Re: Napster Destruction Part Of Media Cabal's Plan (biugung - OG (original gog))
  Using 256bits key for IDEA? ("Vincent Bouret")

----------------------------------------------------------------------------

Subject: Re: counter as IV?
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sat, 29 Jul 2000 11:13:18 -0700

Yes, it's desirable, and therefore usually the case, to spend a long
time setting up the sub-keys for the rounds. The reason is that it
makes brute-force attacks more computationally difficult if the key
scheduling algorithm uses weird and slow functions.




------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Just Curious. Are girls/women interested
Date: 29 Jul 2000 18:40:32 GMT

In article <YiDg5.374$[EMAIL PROTECTED]>,
Ed Suominen <[EMAIL PROTECTED]> wrote:
>See the following paper on the Square cipher I'm checking out, which was
>co-authored by a Joan Daemen. I suppose it's possible that "Joan" is a
>man's name in Belgium or some other foreign country, but it seems more
>likely to be a woman.
>http://www.esat.kuleuven.ac.be/~cosicart/pdf/VR-9700.PDF

Belgian cryptographer Joan Daemen is indeed of the male persuasion.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Date: Sat, 29 Jul 2000 13:08:49 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ] 

> >OTOH, in most cases we can at least do the proof-like thing 
> >of classifying things into what we have to assume, and what we can 
> >prove based on those assumptions.  Better yet, it comes as little 
> >surprise when one of those assumptions IS proven.
> 
> It probably comes as a nice surprise to the guy who does it, and the
> result is a nasty surprise to a user who loses information, but you
> will get no surprise at all until the guy decides to tell you, and
> that will never happen.   

That's highly doubtful -- most of the assumptions I'm talking about 
are NOT things that are likely to be found first by a cryptanalyst.  
Most proofs about rings, fields, etc., are found by mathematicians 
and openly published.
 
> >With symmetric algorithms we usually can't do that except under one 
> >assumption, which is that no better attack than those currently known 
> >will ever exist.
> 
> There certainly can be, and generally is, a lot more detail to
> symmetric cipher reasoning than that.  Most symmetric ciphers have a
> logical basis in mathematics, if only set theory and finite fields.
> Why should it be possible to prove strength in one area of math and
> not another?  

I never said it should or shouldn't be possible.  At the same time, 
the few times I've seen symmetric algorithms with which any sort of 
proof was associated AT ALL, it has NOT been a proof of a minimal 
computation complexity of a solution or anything close to that.  In 
most cases it's been a proof that given some set of assumptions the 
algorithm was as strong as some other algorithm, but in most cases 
there was little to support even a vague notion of the minimum 
complexity of solving either one.

One of the most obvious examples is the proof about CBC -- it proves 
that using CBC is essentially as strong as the underlying cipher and 
does so quite effectively.  Unfortunately, in most cases we have 
absolutely NO idea about a minimum complexity of a solution of the 
underlying cipher.
 
> >I'm prepared to believe that a statement about (for example) lack of 
> >smoothness on an elliptical curve MIGHT be true even though nobody's 
> >presently proven it.  By contrast, I'm completely certain that better 
> >attacks on most symmetric ciphers WILL be invented.  IOW, the 
> >assumptions in one case MIGHT be correct, while I'm completely 
> >convinced of the falsehood of the assumptions in the other case.
> 
> So, basically, you are willing to *believe* that one form of
> cryptography -- and only that form -- is capable of strength.

This is a _gross_ mischaracterization of what I said, and it's not 
even close to anything I believe.  You're an intelligent enough 
person that I'm hard put to believe you could read what I wrote and 
draw that as an honest conclusion.

> Interesting.  What possible basis can one possibly have for imagining
> that the field is bicameral in this way?  Shall we imagine that number
> theory is "better" than field theory, or mappings?  

Not at all.  We shall believe that at least the "proofs" I've seen of 
symmetric algorithms were a LOT weaker than the "proofs" I've seen of 
PK algorithms.  If, for example, there is a proof that TwoFish cannot 
be solved with less than a specified amount of work, subject to some 
assumptions that look reasonable even though they're unproven, then 
that would put it in the same general category as most PK algorithms.

The basis I see for looking at the two in different lights is that I 
have not seen such proofs for symmetric algorithms and I have seen 
them for PK algorithms.  Right now I'm assuming that's a reflection 
on what's available, but I'll openly admit that it _could_ simply be 
a reflection of what I have and haven't read.
 
> Math is math, but is more complicated necessarily "better."  I don't
> think so, and in fact, I think that's backward.  More complicated
> means that somebody only has to be smarter to see something others do
> not, and there is always somebody smarter.  In contrast, very
> low-level things like substitutions can be deeply understood by almost
> everyone.  

What makes you think that group theory (to use one of your examples) 
is a fundamentally simpler part of math than number theory?

IMO, by the time you get to a real algorithm with any real security, 
symmetric algorithms are generally a LOT more difficult to understand 
than PK algorithms.

Just for example, if I wanted to convince a bank management committee 
that IDEA is secure enough for their purposes, about the ONLY thing I 
could say that I'd be reasonably sure they'd understand would be to 
say that a lot of really smart people have studied it for a long time 
and been unable to even come very close to breaking it.

With RSA, things would be completely different: I'd simply show how 
much more difficult it is to factor a number than to find a couple of 
primes and multiply them together.

In short, the fundamental concept of security in RSA is a LOT simpler 
to understand than the fundamental concept of security in most 
symmetric ciphers.  In both cases, proofs of much of anything are 
likely to be _considerably_ more complex and well beyond what the 
average user cares to understand, but again the concepts involved in 
a proof using number theory don't strike me as being fundamentally 
more complex: e.g. I think I could explain the concept of smoothness 
to an average non-mathematician fairly quickly and easily.  If there 
was a hard part, it would probably be explaining why such a simple 
concept even deserved a name of its own...

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp
Subject: Re: How secure is Pegwit?
Date: Sat, 29 Jul 2000 19:28:29 GMT

Ed Suominen wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
****** (snip) *************
> 
> I hope to soon publish a system I've come up with for
> easily generating very secure, memorizable passphrases, but that's
> another topic. DICEWARE [2] is a very secure passphrase generation
> system, though I find it somewhat cumbersome to use and don't
> particularly like the resulting passphrases.
> 
**********(snip)***********

That's what poetry is for. Easily memorizable, provides arbitrarily long
randomized passwords. Two examples:

  1               Stonecutters, cut it on stone,
                  Woodpeckers, peck it on wood -
                  There is nothing for a woman as bad,
                  As a man who thinks he is good.

Password = SciosWpiowTinfawabAamwthig  (How many bits of randomness?)

  2               Bis unsere Hand in Ashen stiebt.
                  Soll sie vom Schwert nicht lassen.
                  Wir haben lang genug geliebt,
                  Wir wollen endlich hassen!

Password = BuHiAsSsvSnlWhlggWweh

You can take the last letters of the words as well. Is there a
dictionary attack already developed against "poetic passwords"?

Best wishes               BNK

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: generating S-boxes
Date: Sat, 29 Jul 2000 20:12:54 GMT

Four criteria for good s-box design are:

1. bijection
2. nonlinearity
3. strict avalanche
4. independence of output bits


In article <[EMAIL PROTECTED]>,
  Tom Anderson <[EMAIL PROTECTED]> wrote:
> i was wondering about how one generates S-boxes. i'm talking about
> bijective S-boxes, ie permutations. none of that 'first 2048 binary
> digits of pi / e / root 2' business here, thank you very much. i am
> right in thinking bijective S-boxes are used, right? not as Feistel
> F-functions (mostly), but elsewhere.
>
> i know a good S-box should have various properties, eg avalanche,
> nonlinearity, etc. let's abstract these into a quality measure (call
> it q), where 0 is rubbish (eg the identity permutation) and big values
> are wonderful.
>
> my main question is this: is there a transformation which can be
> applied to a permutation (eg swapping two entries) that will lead to
> small changes in q? if so, i imagine simulated annealing would be good
> at finding good S-boxes.
>
> is there a transformation that always leads to increases in q? in that
> case, making good S-boxes is trivial (i'm guessing no such transform
> exists).
>
> tom
>
>


Sent via Deja.com http://www.deja.com/
Before you buy.
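The four criteria listed in the reply, measured on a 4-bit S-box, as an added example (not code from either poster). It assumes the published PRESENT cipher S-box as sample input, a simple combined score q in the spirit of Tom's question, and the entry swap he describes as the local move; the worst-case treatment of a constant avalanche vector in criterion 4 is a choice made here.

```python
"""Score a 4-bit S-box on the four criteria listed above: bijection,
nonlinearity, strict avalanche (SAC) and independence of output bits."""

N = 4                  # S-box width in bits
SIZE = 1 << N          # 16 entries

# The published PRESENT cipher S-box, used here only as sample input,
# beside Tom's "rubbish" identity permutation.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY = list(range(SIZE))

def parity(x):
    return bin(x).count("1") & 1

def is_bijective(sbox):
    """Criterion 1: every output value occurs exactly once."""
    return sorted(sbox) == list(range(SIZE))

def nonlinearity(sbox):
    """Criterion 2: smallest Hamming distance between any nonzero linear
    combination of output bits and any affine function (Walsh spectrum)."""
    best = SIZE
    for b in range(1, SIZE):                           # output mask
        for a in range(SIZE):                          # input mask
            walsh = sum((-1) ** (parity(b & sbox[x]) ^ parity(a & x))
                        for x in range(SIZE))
            best = min(best, (SIZE - abs(walsh)) // 2)
    return best

def avalanche_vectors(sbox, i):
    """Flip input bit i: one 0/1 list per output bit saying whether it changed."""
    return [[(sbox[x] ^ sbox[x ^ (1 << i)]) >> j & 1 for x in range(SIZE)]
            for j in range(N)]

def sac_deviation(sbox):
    """Criterion 3: sum of |P(output bit flips) - 1/2| over all (input bit,
    output bit) pairs; 0 means the strict avalanche criterion holds exactly."""
    return sum(abs(sum(v) / SIZE - 0.5)
               for i in range(N) for v in avalanche_vectors(sbox, i))

def max_output_correlation(sbox):
    """Criterion 4: largest |correlation| between the avalanche vectors of two
    output bits under one input-bit flip. A bit that never or always flips is
    counted as the worst case (1.0) here, since it is perfectly predictable."""
    worst = 0.0
    for i in range(N):
        vecs = avalanche_vectors(sbox, i)
        for j in range(N):
            for k in range(j + 1, N):
                mj, mk = sum(vecs[j]) / SIZE, sum(vecs[k]) / SIZE
                cov = sum((p - mj) * (q - mk)
                          for p, q in zip(vecs[j], vecs[k])) / SIZE
                var = mj * (1 - mj) * mk * (1 - mk)
                worst = max(worst, 1.0 if var == 0 else abs(cov) / var ** 0.5)
    return worst

def quality(sbox):
    """Tom's q: 0 for a non-bijection or the identity, larger is better."""
    if not is_bijective(sbox):
        return 0.0
    return max(0.0, nonlinearity(sbox) - sac_deviation(sbox)
               - max_output_correlation(sbox))

def swap_entries(sbox, i, j):
    """The local move Tom asks about: swapping two entries keeps a permutation."""
    out = list(sbox)
    out[i], out[j] = out[j], out[i]
    return out

if __name__ == "__main__":
    for name, s in (("identity", IDENTITY), ("PRESENT", PRESENT_SBOX)):
        print(name, is_bijective(s), nonlinearity(s), sac_deviation(s),
              round(max_output_correlation(s), 3), round(quality(s), 3))
```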

------------------------------

From: [EMAIL PROTECTED] (Daniel)
Subject: Randomize, RandSeed and PRNG
Date: Sat, 29 Jul 2000 20:28:57 GMT


Using a computer language like Delphi, one can call the Randomize
function, which in fact fills the RandSeed with a number based on the
current time (since 00:00:00).  What actually happens when we call the
Random function?  What is the interplay between Random and RandSeed?
How are these 'random' numbers calculated?  I suppose that there are a
few methods/algorithms available.  Where can I find more info on this
subject?

Are there other (pseudo) random number generators available for
Delphi?

------------------------------

From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Randomize, RandSeed and PRNG
Date: Sat, 29 Jul 2000 20:54:41 GMT

On Sat, 29 Jul 2000 20:28:57 GMT, [EMAIL PROTECTED] (Daniel)
wrote:

>
>Using a computer language like Delphi, one can call the Randomize
>function, which in fact fills the RandSeed with a number based on the
>current time (since 00:00:00).  What actually happens when we call the
>Random function?  What is the interplay between Random and RandSeed?
>How are these 'random' numbers calculated?  I suppose that there are a
>few methods/algorithms available.  Where can I find more info on this
>subject?
>
>Are there other (pseudo) random number generators available for
>Delphi?

They probably use the linear congruence method:

X[n+1] = a * X[n] + b (mod T)

where X[0] is the seed. This is a method of rapidly generating
pseudo-random numbers. See Knuth volume 2 for more information on the
generation of "good" pseudo-random numbers. I have an implementation
of the additive pseudo-random number generator from Knuth. Also, do a
web search on the "Mersenne twister", another pseudo-random generator
with "good" statistical properties.

==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate


------------------------------

From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Randomize, RandSeed and PRNG
Date: Sat, 29 Jul 2000 21:00:02 GMT

On Sat, 29 Jul 2000 20:54:41 GMT, [EMAIL PROTECTED] (James Pate
Williams, Jr.) wrote:

>On Sat, 29 Jul 2000 20:28:57 GMT, [EMAIL PROTECTED] (Daniel)
>wrote:
>
>>
>>Using a computer language like Delphi, one can call the Randomize
>>function, which in fact fills the RandSeed with a number based on the
>>current time (since 00:00:00).  What actually happens when we call the
>>Random function?  What is the interplay between Random and RandSeed?
>>How are these 'random' numbers calculated?  I suppose that there are a
>>few methods/algorithms available.  Where can I find more info on this
>>subject?
>>
>>Are there other (pseudo) random number generators available for
>>Delphi?
>
>They probably use the linear congruence method:
>
>X[n+1] = a * X[n] + b (mod T)
>
>where X[0] is the seed. 

From Abramowitz and Stegun, _The Handbook of Mathematical Functions_
page 950, the sequence defined above will have a full period of T if:

(i)   b is relatively prime to T
(ii)  a = 1 (mod p) if p is a prime factor of T
(iii) a = 1 (mod 4) if 4 is a factor of T

==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate


------------------------------

From: [EMAIL PROTECTED] (John Bailey)
Subject: Reference to a public key technique in NYTimes
Date: Sat, 29 Jul 2000 20:50:20 GMT

quoting:
Now add another candidate: three mathematicians at Brown University
have capped six years of research with a patent for an encryption code
they say will make it impractical -- if not impossible -- to infringe
copyrighted data like digital music. 

The mathematicians, Jeffrey Hoffstein and Jill Pipher, both of
Pawtucket, R.I., and Joseph Silverman of Needham, Mass., patented a
system they said could quickly encode every second of a data stream
with a different encryption key. That means that a typical three-minute
song could be scrambled into 180 different codes; anyone
taking the time to break a single code would be rewarded with only one
second of music. 
quoted from 
http://www.nytimes.com/library/tech/00/07/biztech/articles/03pate.html

Their patent:
http://www.patents.ibm.com/details?&pn=US06081597__
includes the claim:
A method for encoding and decoding a digital message m, comprising the
steps of: selecting ideals p and q of a ring R; 
generating elements f and g of the ring R, and generating element Fq
which is an inverse of f (mod q), and generating element Fp which is
an inverse of f (mod p);
producing a public key that includes h, where h is congruent, mod q,
to a product that can be derived using g and Fq ; 
producing a private key from which f and Fp can be derived; 
producing an encoded message e by encoding the message m using the
public key and a random element ø; and 
producing a decoded message by decoding the encoded message e using
the private key. 

Can someone point me to prior discussion of this technique?
Are there accessible background references?

Thanks
John
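The patent steps quoted above describe the NTRU public-key system of Hoffstein, Pipher and Silverman; the following is an added toy walk-through of those steps (not code from the patent or from any poster), in the ring R = Z[x]/(x^N - 1) with ideals (p) and (q). All parameters and polynomials are constructed here and far too small for any security; they only make the encode/decode round trip visible.

```python
"""Toy walk-through of the claim's steps (the NTRU scheme) in
R = Z[x]/(x^N - 1) with ideals (p) and (q), p = 3 and q prime.
N = 7 is far too small for security; it only makes the round trip visible."""

N, P, Q = 7, 3, 131        # constructed toy parameters; gcd(P, Q) = 1

def mul(a, b, mod):
    """Product in R with coefficients reduced mod `mod` (x^N = 1 wraps indices)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % mod
    return out

def center(a, mod):
    """Lift coefficients into the symmetric range [-(mod-1)/2, (mod-1)/2]."""
    return [c - mod if c > mod // 2 else c for c in (x % mod for x in a)]

def inverse_mod(f, mod):
    """Inverse of f in Z_mod[x]/(x^N - 1) for prime `mod`: solve the circulant
    system f * v = 1 by Gauss-Jordan elimination; None if f is not a unit."""
    mat = [[f[(i - j) % N] % mod for j in range(N)] + [int(i == 0)]
           for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if mat[r][col]), None)
        if piv is None:
            return None
        mat[col], mat[piv] = mat[piv], mat[col]
        inv = pow(mat[col][col], -1, mod)
        mat[col] = [(x * inv) % mod for x in mat[col]]
        for r in range(N):
            if r != col and mat[r][col]:
                fac = mat[r][col]
                mat[r] = [(x - fac * y) % mod for x, y in zip(mat[r], mat[col])]
    return [row[N] for row in mat]

def keygen(F, g):
    """Claim steps: f = 1 + p*F (so f is 1 mod p), Fq = f^-1 mod q, Fp = f^-1 mod p,
    public key h = p*g*Fq mod q, private key (f, Fp). F, g are small ternary polys."""
    f = [1 + P * F[0]] + [P * c for c in F[1:]]
    Fq = inverse_mod(f, Q)
    Fp = inverse_mod(f, P)
    if Fq is None or Fp is None:
        raise ValueError("f is not invertible; choose another F")
    h = mul([P * c for c in g], Fq, Q)
    return f, Fp, Fq, h

def encrypt(h, m, r):
    """e = r*h + m mod q, with r the random ternary element the claim calls ø."""
    return [(x + y) % Q for x, y in zip(mul(r, h, Q), m)]

def decrypt(e, f, Fp):
    """a = f*e mod q, centered (no wrap-around for these small polys);
    then m = Fp*a mod p, centered back to {-1, 0, 1}."""
    a = center(mul(f, e, Q), Q)
    return center(mul(Fp, a, P), P)

# Constructed toy values (coefficients of x^0 .. x^6)
F_SMALL = [1, 0, -1, 1, 0, 0, -1]
G_SMALL = [1, -1, 0, 1, 0, -1, 0]
R_SMALL = [0, 1, -1, 0, 1, 0, -1]
MESSAGE = [1, 0, -1, 1, -1, 0, 1]

if __name__ == "__main__":
    f, Fp, Fq, h = keygen(F_SMALL, G_SMALL)
    e = encrypt(h, MESSAGE, R_SMALL)
    print("h =", h, "\ne =", e, "\ndecrypted =", decrypt(e, f, Fp))
```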


------------------------------

From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: Randomize, RandSeed and PRNG
Date: Sat, 29 Jul 2000 21:44:58 GMT

On Sat, 29 Jul 2000 20:54:41 GMT, [EMAIL PROTECTED] (James Pate
Williams, Jr.) wrote:

>On Sat, 29 Jul 2000 20:28:57 GMT, [EMAIL PROTECTED] (Daniel)
>wrote:
>
>>Are there other (pseudo) random number generators available for
>>Delphi?
>
>They probably use the linear congruence method:
>
>X[n+1] = a * X[n] + b (mod T)
>
>where X[0] is the seed. This is a method of rapidly generating
>pseudo-random numbers. See Knuth volume 2 for more information on the
>generation of "good" pseudo-random numbers. I have an implementation
>of the additive pseudo-random number generator from Knuth. 

Here is a C++ implementation of the additive pseudo-random number
generator. See _Seminumerical Algorithms the Art of Computer
Programming Volume 2_ by Donald E. Knuth second edition page 27
Algorithm A (Additive number generator).

#include <cstdlib>
#include <ctime>

// Knuth's Algorithm A (lagged Fibonacci, lags 24 and 55):
//   X[n] = (X[n-24] + X[n-55]) mod m
// Y[1..55] holds the 55 most recent values; j and k walk backwards through it.
class Random {
private:
        int j, k;
        long long m;    // the modulus 2^31, kept 64-bit so the sum below cannot overflow
        int X[55], Y[56];
public:
        Random(void) {
                bool even = true;
                int i;

                j = 24;
                k = 55;
                m = 1LL << 31;  // RAND_MAX + 1 overflows int when RAND_MAX == INT_MAX
                std::srand((unsigned) std::time(NULL));
                for (i = 0; i < 55; i++) {
                        X[i] = std::rand();
                        if (even)
                                even = (X[i] & 1) == 0;
                }
                // Knuth requires at least one odd seed value; if all are even, make one odd
                if (even) {
                        i = std::rand() % 55;
                        if (X[i] == RAND_MAX)
                                X[i] = 1;
                        else
                                X[i]++;
                }
                for (i = 1; i <= 55; i++)
                        Y[i] = X[i - 1];
        }
        Random(const Random &random) {
                int i;

                j = random.j;
                k = random.k;
                m = random.m;
                for (i = 0; i < 55; i++)
                        X[i] = random.X[i];
                for (i = 1; i <= 55; i++)
                        Y[i] = random.Y[i];
        }
        int nextRandom(void) {
                // add in 64 bits and reduce, so the result is always in [0, m)
                Y[k] = (int) (((long long) Y[j] + Y[k]) % m);
                int out = Y[k];  // Algorithm A outputs the value just computed
                j--;
                if (j == 0) j = 55;
                k--;
                if (k == 0) k = 55;
                return out;
        }
};

==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Randomize, RandSeed and PRNG
Date: 29 Jul 2000 21:48:38 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (James Pate Williams, 
Jr.) writes:

]On Sat, 29 Jul 2000 20:28:57 GMT, [EMAIL PROTECTED] (Daniel)
]wrote:

]>
]>Using a computer language like Delphi, one can call the Randomize
]>function, which in fact fills the RandSeed with a number based on the
]>current time (since 00:00:00).  What actually happens when we call the
]>Random function?  What is the interplay between Random and RandSeed?
]>How are these 'random' numbers calculated?  I suppose that there are a
]>few methods/algorithms available.  Where can I find more info on this
]>subject?
]>
]>Are there other (pseudo) random number generators available for
]>Delphi?

]They probably use the linear congruence method:

]X[n+1] = a * X[n] + b (mod T)

]where X[0] is the seed. This is a method of rapidly generating
]pseudo-random numbers. See Knuth volume 2 for more information on the
]generation of "good" pseudo-random numbers. I have an implementation
]of the additive pseudo-random number generator from Knuth. Also, do a
]web search on the "Mersenne twister", another pseudo-random generator
]with "good" statistical properties.

But all have bad cryptographic properties (ie a "few" values allow you
to predict all successive values). Ie, the values are highly correlated
with a somewhat weird correlation function ( the solution to the
generator).
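Pate Williams' LCG recurrence and the full-period conditions (i)-(iii) he quotes, together with Bill Unruh's point that a few outputs determine all later ones, as an added example (not code from any poster). It assumes the multiplier and increment that Turbo Pascal's and Delphi's Random are widely reported to use, 134775813 and 1 modulo 2^32, which the thread itself does not state.

```python
"""LCG X[n+1] = (a*X[n] + b) mod T: the full-period conditions quoted above
and why a handful of outputs is enough to predict every later one."""
from math import gcd

# Multiplier/increment that Turbo Pascal and Delphi's Random are widely
# reported to use (an assumption here; the thread does not state them), T = 2^32.
DELPHI_A, DELPHI_B, DELPHI_T = 134775813, 1, 1 << 32

def prime_factors(n):
    out, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            out.add(p)
            n //= p
        p += 1
    if n > 1:
        out.add(n)
    return out

def has_full_period(a, b, T):
    """Conditions (i)-(iii) from the post (the Hull-Dobell theorem)."""
    if gcd(b, T) != 1:                              # (i) b relatively prime to T
        return False
    if any(a % p != 1 for p in prime_factors(T)):   # (ii) a = 1 mod each prime of T
        return False
    if T % 4 == 0 and a % 4 != 1:                   # (iii) a = 1 mod 4 if 4 | T
        return False
    return True

def lcg(seed, a, b, T):
    """Yield X[1], X[2], ... from X[0] = seed."""
    x = seed
    while True:
        x = (a * x + b) % T
        yield x

def measured_period(seed, a, b, T):
    """Brute-force cycle length from `seed` (small T only); None if it never returns."""
    gen = lcg(seed, a, b, T)
    for n in range(1, T + 1):
        if next(gen) == seed:
            return n
    return None

def recover_lcg(x1, x2, x3, T):
    """Unruh's point: with T known, three consecutive outputs give a and b back,
    because x3 - x2 = a*(x2 - x1) mod T, and then b = x2 - a*x1 mod T."""
    d1, d2 = (x2 - x1) % T, (x3 - x2) % T
    if gcd(d1, T) != 1:
        raise ValueError("x2 - x1 is not invertible mod T; use another triple")
    a = d2 * pow(d1, -1, T) % T
    return a, (x2 - a * x1) % T

def predict_next(x, a, b, T):
    """Every later output follows from the recovered parameters and one value."""
    return (a * x + b) % T

if __name__ == "__main__":
    print("a=5,b=3,T=16 full period:", has_full_period(5, 3, 16),
          "measured:", measured_period(0, 5, 3, 16))
    print("a=3,b=3,T=16 full period:", has_full_period(3, 3, 16),
          "measured:", measured_period(0, 3, 3, 16))
    gen = lcg(12345, DELPHI_A, DELPHI_B, DELPHI_T)      # constructed seed
    x1, x2, x3 = next(gen), next(gen), next(gen)
    print("recovered (a, b):", recover_lcg(x1, x2, x3, DELPHI_T))
```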


------------------------------

From: biugung - OG (original gog) <[EMAIL PROTECTED]>
Subject: Re: Napster Destruction Part Of Media Cabal's Plan
Date: Sat, 29 Jul 2000 21:53:36 GMT

In article <8ls0bp$5rd4$[EMAIL PROTECTED]>,
  "Bill Mulcahy" <[EMAIL PROTECTED]> wrote:
>
> I don't like this court order shutting down Napster.
>
> Basically, it is the court telling a computer user we cannot make a
> copy of a piece of music from another computer user!!! No doubt they
> would stop people from taping radio music if they could. This is an
> outrage. What's next, the hate speech ban?
>
> It's time freedom lovers unite and fight against the new tyranny of
> those who would control us.
>
> Bill Mulcahy

Seems odd though.  Napster shut down.  Did you watch late night news?
Or rather early morning news?  They mentioned napster being shut down
like every minute.

Then I log in to see "napster gets a reprieve".  It's like one big
advertisement... Not for napster sharing Mp3's, but for the whole idea
itself...

Then I just get this in my e-mail:
http://www.wired.com/news/technology/0,1282,37874-2,00.html

The part about human genome jumps out at me.  I click the link, then
check the other link about Rumor.

Then I got to thinking.  A napster style software with authentication
(public key) allowing the passing on and sharing of.... information.
Perhaps proprietary info, like this, with other people.  Who they can
talk to and get ideas from depends on their "clearance"...

You can even have a neato little virtual payment/cash system.  You get
what you put out.  A great way to propagate an idea....  I don't want to
say too much...

Peer-to-peer is here....

http://www.crn.com/Components/Search/Article.asp?ArticleID=18560

How about a peer to peer usenet protocol where all usenet messages are
taxonomically ordered according to writing style (like in the code of
writing style analysis software), word cadence, keywords, etc?

Beats the empiric method...  And law enforcement agencies could not be
accused of abuses of human and civil rights like with echelon or
carnivore....

Because it's simply a filtering and ordering protocol.  What the users
get from it is another story.  On the back end you could come up with
some pretty interesting empathies without needing to fill out a search
warrant form and submit it to a judge.

You then "read" the messages with a program similar to Newsmonger, but
on steroids.  You don't get data according to usenet charter, rather, the
actual word style, cadence, writing style or keywords, e-mail address,
etc.  Boolean methods just plain suck.  Try searching for something
you know exists.  Try finding out when a page with what you may want
to read is published on the web.... That is IF it's registered with
search engines.....  Hooo boy.

I need to think about this a bit more....

--
[EMAIL PROTECTED] contain proprietary material-All rights
reserved-Permission to archive/test/translate into other languages-
ICQ: 23934701 - Fax: 603-737-8274 -- Subject to evidentiary statutes
     =-=-=-=-==-=-=-=-=-=-=-=-==-=-=-=-===-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Any abberation [sic] that effects the human mind must have a three
dimensional coordinate point in the human nervous system." - William S.
Burroughs



------------------------------

From: "Vincent Bouret" <[EMAIL PROTECTED]>
Subject: Using 256bits key for IDEA?
Date: Sat, 29 Jul 2000 22:01:00 GMT

Hello,

Will it be more secure to use a 256-bit key with IDEA? I would change the
key generation part to deal with 256 bits, but I would like to know by how
many bits I should rotate the key (in the original 128-bit version it's 25);
with 256 bits I guess that must be higher.

I am also wondering when I need to swap the 16bits inner blocks in the algo.
In AC (Applied Crypto) by Bruce Schneier there's a mistake with the test
data (the blocks are never swapped).

I read you have to swap them each round except for the last. Is that true?
And what about the decryption part?

Thank you

Vincent



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
